Session description: Sessions at the Internet Governance Forum during previous years have shown the areas of concern known as “security,” “openness” and “privacy” are of equal value, equal importance and equal complexity. In 2010, instead of segregating this theme into three silos, the organizers of IGF decided to set aside a main-room session that would address specific timely issues and investigate them in the light of security, openness and privacy considerations. The issues covered were derived from earlier IGF-2010 workshops and through discussion with workshop sponsors.

September 16, 2010 - Three moderators with expertise in policy discussions in these realms – Frank La Rue, the United Nations’ special rapporteur on the promotion and protection of the right to freedom of opinion and expression; Lisa Horner, coordinator of the Freedom of Expression Project, tied to human rights and communications; and David Hoffman, director of security policy and global privacy officer at Intel Corporation – led the discussions on the three themes in relation to the issues.

La Rue led the discussion of the evolution of social media and its implications for security, openness and privacy.

Horner moderated the segment of the session that covered the nature and characteristics of Internet networks, technologies and standards.

Hoffman led plenary participants in the session segment tied to international collaboration on security, privacy and openness.

Feeder workshops included: Managing the Network; The Future of Privacy; Sexual Rights, Openness and Regulatory Systems; Freedom of Connection – Freedom of Expression; Freedom of Expression or Access to Knowledge – Are We Taking Necessary Steps Towards an Open and Inclusive Internet?; Freedom of Expression and Internet Intermediaries; Protecting the Consumer in an Online World; Developing a Policy Understanding on Information Security – Glocal (Global and Local) Perspective; Legal Aspects of Internet Governance: International Cooperation on Cybersecurity; and Public-Private Cooperation on Internet Safety/Cybercrime.

Technical architecture is key to retention of openness

Alejandro Pisanty, a leader of the Internet Society and the National University of Mexico, said the discussion of openness as a key value of the Internet should be more technically grounded. “The human rights approach is undeniable once you state it, but if it does not have a traction, a chain, a technical grounding in what an open Internet means it may easily become too vague to be useful and lead to some serious weirdness,” he said.

“We need these debates to be technically grounded. We have to go up into the higher spheres of principles about the way humankind should develop and come down to a technical basis. The end-to-end principle, the interoperability principles, are key to the way the Internet is built and governed, and they have to be present in these debates. It’s not just the basic concept of openness that works.”

Pisanty, the author of a study of the security discussions in the first four years of IGF, said he found there is a time lag of at least two years between discussions and the sharing of ideas in the IGF and the accomplishment of results, and “I am revising this figure to seven years when it comes to basic security principles – we have a need to have more exchange and make sure that there’s more technical knowledge infused into the debate.”

Co-moderator Horner brought up online traffic management and asked if “it’s OK if certain types of content are given priority across the Internet” … “I know there’s concern that this will be used only for commercial gain and there’s a worry that this might undermine some of the openness of networks – we need to look at whether there are security or privacy issues here as well.”

David Satola of the World Bank reported back from a workshop on international collaboration on legal issues of cybersecurity. In their deconstruction of the status quo, the discussants in that session noted that threats emerge from many points of origination, including outdated “architecture, and a dissonance of policy and legislative approaches that make international collaboration and cooperation on certain levels difficult.”

He said the group agreed with Pisanty. “We need to adapt a more resilience-based approach instead of a perimeter-security approach,” he said most participants noted. “We need to better understand the incentives of different actors involved, and those include economic incentives and personal incentives. I would reiterate in that regard the points made about building capacity of law enforcement personnel and the engagement of the private sector through public-private partnerships.

Vladimir Radinovich of DiploFoundation shared details from a feeder workshop on network neutrality held the day before. He noted that five key points emerged:

technological evolution changes now the network is managed, especially when it comes to wireless networks and serving the next billion users;

principles of non-discrimination of data, transparent operations, choices of services are all values people would like to retain;

companies offering new business models will push for prioritization of advanced services – will this impact the Internet?

the development of more transparency of companies that want to profit from being Internet intermediaries so they do not serve as chokepoints or bottlenecks;

the need for more formal participation from people from developing countries so they can raise their concerns about network management and network neutrality.

Radinovich noted that approaches to the idea of transparency in point four were split. “Business supports competition and case-by-case resolution of problems,” he said. “On the other hand, regulators mentioned that soft law might be the best way, basically the coordination of stakeholders to reach the principles that all should respect and that can be guided by the regulators … pure competition-based regulation of network management might not always be best because competition is not always available in developing countries.”

Time is an important element in security matters

A number of session participants mentioned that action takes place too quickly on the Internet for some forms of regulatory action to be effective and they also said the evolution of online tools is too rapid for specific cyberlaws to be the best solution to many problems.

Alun Michael, a member of the UK Parliament, said law enforcement and industry can’t cooperate and achieve the best security outcomes without involving members of parliaments and civil society.

“Otherwise there is no transparency and accountability,” he said. “We need a new model other than the traditional forms of legislation, which cannot – nationally or internationally – keep up with the Internet. It should be industry-led with government engagement including law enforcement but with MPs and civil society providing the accountability, resulting in minimum legislation, minimum regulation but maximum cooperation, maximum delivery and maximum transparency. And that’s the IGF process, not just the event once a year but the process including the meetings at the regional level.”

He used the example of the UK approach to sites that are abusive of children. “The system of notification and take-down has worked,” he said. “We haven’t had to legislate because there’s a system that everybody is aware of, and it is working well.”

Co-moderator Hoffman added, “The speed with which malicious actors are innovating the threats does not lend itself very well to a legislative process, and the time that is required for thoughtful legislation to be passed is not optimal. It can’t be the sole activity to address these threats.”

Control is tightened by different actors for different reasons

Patrik Hiselius of Nordic and Baltic telecommunications company Teliasonera asked if a degree of traffic management is necessary, “can we agree on certain principles, limitations or boundaries?” he asked, adding that there are threats to openness on the Internet and pointing to leading issues illustrated in a September 4 article by The Economist titled “The Web’s New Walls.”

“Governments are tightening controls,” he read, sharing key points from the lead to the story. “Internet companies are building walled gardens like closed e-mail systems and integrated Web-based services. Apps on your display offer a more closed world than Web browsing. When it comes to operators and openness, net neutrality is difficult to define and enforce, and efforts to do so merely address the symptom – concern about discrimination – rather than the underlying cause – lack of competition.”

He said companies have to be transparent in their operations and added that nondiscrimination should be continuous, “all content and application services should flow across networks, this said, all types of applications will not be included in all price models in all offerings but be provided as options – that is obvious already today on the mobile side.”

The co-moderator overseeing contributions from remote participants in this session, Kieren McCarthy, said one of the remote participant hubs shared that in their country Internet service providers are being pressured by the film industry to cut off service to users who use Torrent software to prevent copies from being downloaded. “It’s another side of the debate – commercial pressures put on ISPs in order to prevent copyrght violations, restricting to a certain degree the openness of the Internet,” he said.

Kurt Opsahl of the Electronic Frontier Foundation noted that “citizens are directly impacted by Internet intermediary liability and obligations because of the diversity of information and opinion online is hosted and transited by intermediaries.”

“User-generated content websites have provided a tremendous amount of culture and value, but they cannot function under a regime where somebody has to look at and review and analyze the material before it goes online. A notice-and-takedown regime that removed content before judicial determination can become a de facto censorship and a serious blow to freedom of expression. The most appropriate role for intermediaries is limited to simply forwarding notices of alleged problems to the customer and then allowing the judicial system to determine the subsequent action. This includes protecting the anonymity of the user.”

The moderators’ opening remarks

Horner had led the session off by explaining how the plenary was planned. “These three themes are often seen as being incompatible with one another,” Horner said. “They are often seen as incompatible, as competing rather than complimentary goals.

“While tensions do exist, we’d really like to explore how these issues can interrelate with each other and complement each other. Do they have to be ‘zero sum’ in they way they are often treated? I think an open Internet can also be a secure one in which the privacy of citizens is respected. But how can we achieve this in practice? How can we make these three issue areas really work for each other and support each other?”

She noted that human connection on the Internet can’t be accomplished without trust and security. “How can we foster the continued evolution of an Internet ecosystem that continues to support creativity, expression and knowledge sharing in new and exciting ways while also protecting and promoting privacy and security?” she asked.

Hoffman said at Intel he has the opportunity to work with some of the engineers who are developing the amazing technology tools that are causing disruptive change. He noted that computing devices are becoming more prevalent and they are thus influencing most of the waking hours of people who are connected online.

“There could be 15, maybe 20 devices during the day that all look different,” he said. “This is going to be a connected computing continuum, and in most cases we’re going to be using the Internet as the backbone of that connectivity for individuals’ participation in their personal and business lives.”

He noted that remote data and application storage – also known as “cloud computing” will become more relied upon. He reminded participants in the discussion that everyone must try to operate within the global digital infrastructure, which has its country-specific regulation, siloed policy structures and other challenges to overcome for success. He said “trust” is a big part of making that all work out.

“How do we provide a reasonable basis for people’s trust?” he asked. “How do we provide reasonable privacy and security for individuals and entities using this computing continuum?”

He said there has to be a balance between privacy and security, and he tied it into what he sees daily as a global policy professional. “We are going to have to put better privacy compliance processes and transparency in place so things come into balance, that there’s more on the security side and more on the privacy side,” he explained. “How do we provide respect for differing cultures and different regulation within specific countries while providing harmonized regulation so as to not disrupt the computing continuum?”

La Rue emphasized the human rights perspective in his opening remarks. He noted UNESCO’s call for a “culture of peace” and said, “For the first time we have a truly global means of communication around the world, very fast, very effective. That should transform the world for the better, with more respect for human rights and not less.”

He said he didn’t agree with Hoffman that “balance” should be sought between privacy and security. “A ‘balance’ seems to say that you are giving in one to achieve the other,” he said.

“Systematically. I think we have to begin by saying, number one, that privacy is a right. It’s a fundamental right of anyone and it is a permanent right. And security is a necessity for exercising all rights. So it doesn’t mean we have to give away our right to privacy or we have to give away the protection of security or a right to security. We have to see how we can enhance both simultaneously and not allow that one erodes the other.”

Social networks and openness, privacy and security

Co-moderator La Rue noted that “social networks began as sort of a friendly experiment and all of a sudden exploded around the world, because they responded to a necessity of human communication.”

He opened the floor to comments. Cynthia Wong of the Center for Democracy and Technology said it is important to note that online social media are quite different from traditional media. She said user choice and control distinguish this form of discourse.

“These distinct attributes undermine a lot of the justifications for regulating traditional media,” she said. “They play an indispensible role in enabling free expression, civic engagement and a range of our rights on the global Internet. Of course the openness of these platforms also means they can be used for ill as well as good. So how do we address this reality in a way that preserves openness and protects privacy and security? Laws that hold the platforms themselves responsible for the bad behavior of users hurt the expressive potential of the platforms and will also have a negative impact on openness and the privacy of users.”

She said companies that provide social media platforms do have a responsibility to protect the privacy and security of users and she noted that there’s an evolving framework by which companies are beginning to accomplish this. She promoted the work of the Global Network Initiative in encouraging fair information practice principles and privacy frameworks.

Google’s Davidson talks about transparency and security

Allen Davidson, director of public policy for Google, said he would really be echoing Wong’s point.

“Social media creates these incredible challenges,” he said, “but it also gives us the tools to address many of them. Users themselves are the creators of content. Individuals are. Google operates YouTube. Every minute on YouTube, 24 hours of video is uploaded. Every minute on our Blogger product 270,000 words are uploaded. Every minute. This creates huge challenges.”

He said the three areas in which ground can be gained are privacy, safety and openness.

“We have the ability to create tools that give people transparency and control and protect their security,” he said. “It is essential from an industry point of view that we provide privacy, because people will not use our products if they do not trust them. We can give people the tools of control to protect themselves and their children and their communities. And, regarding openness, interoperability is essential in this media.

“Industry can’t do this alone. We need the help of government. A lot has been said in some of the sessions about free expression and the dangers and risks to free expression around the world. We need governments to help us to protect free expression. We need more transparency from governments when they are asking for content to be removed or asking for data about users.

“We need good legal regimes that allow social media to develop, particularly protections around intermediary liability. We do not want a world where the providers of social media services are themselves forced to be gatekeepers. Freedom and openness on the Internet is not an inevitability. It is something we all have to work for.”

Council of Europe is looking to tie level of regulation to functions

Thomas Schneider, the information society coordinator at the international affairs department of the Swiss Federal Office of Communication represents his government in spaces such as IGF and ICANN. He spoke about his work as the chair of the Council of Europe’s expert group assessing how to regard new media.

“The traditional approach to regulating media needs rethinking and … by regulation I do not mean control,” he said, adding that the aim of the discussion is to “help these actors to fulfill their role in guaranteeing and promoting freedom of expression and information.”

He noted that there are some new actors in social media and other emerging media who fulfill the same roles as traditional media did and yet some also perform a range of functions. “It might not be easy to say if you’re a medium or you’re not a medium or you’re just an intermediary,” he explained. “The regulation should be adequate to the function. Not overregulation or underregulation. We are trying to have – at least for Europe – a commonly shared notion of the media system as it is now with these new actors who are changing and technical development that is changing based on the functions.”

He said the COE group sees value in classifying the level of regulation according to functions. “For some functions you need an exact regulation, for other functions you let people act and then if something bad happens you react,” he said. “Maybe you have binding regulations for things like child pornography. Maybe you have soft-law provisions for things that are more dependent on cultural diversities between societies where you just give guidance. So there is a range of graduated regulation from very strict legal provisions to recommendations on how you should behave.”

He added that it should be clear who is liable for illegal activity online. “The more transparent and the clearer the words are to the people working in the media system, the better freedom of expression is protected,” he said.

Security presents challenges; intermediaries also raise issues

Vytautas Butrimas of the Lithuanian Ministry of Defense rose to say he didn’t think security issues were being taken seriously enough at IGF. “I don’t see any evidence of this being addressed at this conference,” he said, noting that three significant global cybersecurity events took place in a five-year span: the 2007 cyberattack on Estonia; a military action in 2008 against another country that caused a disruption in the Internet; and the growth of social networks, where “you can organize a cyberarmy, you can focus a targeted attack, you can be a government or an individual and do this. You can rent a botnet for 100 Euros a day and attack a country’s infrastructure.”

“The way security is handled will have an effect on openness and privacy,” he said. “If we don’t do anything about reducing at least some of these freedoms – for example, you can’t shout ‘fire’ in a theater, you can’t burn the Koran in public – there has to be some mechanism for enforcement.”

Maja Rakovich of the Centre for Research at the University of Belgrade reported back on the feeder session titled

“Freedom of Expression and Internet Intermediaries.” She noted that there is a lot of attention being paid to the uptick in challenges tied to the social, economic and human rights impact of Internet intermediaries, citing examples they heard from Italy, Estonia, Thailand, Pakistan, the United States and other countries.

“We need to take into account that there are different categories of intermediaries and they play different roles in enabling communication and free flow of information on the Internet,” she said. “Clear roles and principles should be defined in regard to different stakeholders. There have been legal uncertainties and transparency and arbitrary decisions around the world that can have a chilling effect on freedom of expression and Internet intermediaries. It is necessary to have transparency, legal certainty and due process. There’s a lot of work to be done on this complex issue.”

She noted that work is already being carried out by the Council of Europe, UNESCO, the Global Network Initiative, the Association for Progressive Communications, the Electronic Frontier Foundation and others and that the partners who organized the session will continue to work on the issues. “We’re trying to develop some common agreements about basic principles we should start on with this,” she said.

Co-moderator La Rue apologized for the fact that during the hasty discussion of so many large issues there were some aspects that went uncovered. “There were many other things that didn’t develop – the security question, the profiling, the stereotyping, the use of information on the Internet to target people, geolocation, or even the right to delete or the right to forget issues,” he said.

Xianhong Hu, representing UNESCO, shared a brief report on two “freedom”-themed feeder workshops it helped host. She said a UNESCO commission reported “that with growing access to information in cyberspace, there is censorship and filtering done not only by government organizations but also by private companies, which have diverse goals and values – we need to explore their relations.”

She said participants in the initial workshop said other aspects of this realm that should be analyzed are industrial policy and regulation (such as copyright), user-centric approach (such as child-protection policy), net-centric policy (such as linking to internationalized domain names), and security policy in regard to its relationship to privacy and freedom of expression.

“The second workshop focused on how to find applicable standards and legislation of social media,” she said. “Participants have shared good practices on privacy protection – some legal and regulatory instruments for social networking have been developed to protect users’ right to inform, to leave and to control their own data, but there are still many questions.

“How do we promote freedom of expression in the same global environment? The challenge of applying the instruments exists in the discrepancies between the legal frameworks of online territory and the real world.”

“We reach 500 million people in more than 70 languages, accessible all around the world,” he said. “Users are engaged in a wide variety of activities, including very important political speech, and that includes countries like Indonesia that we’re hearing from at the moment, and that has been a quite significant step forward.”

He said organizations that run such services already do pay close attention to privacy, uses of personal data and other issues.

“It’s a mistake to think it’s an unregulated space,” he said. “Today if you’re running a service there’s a wide range of regulation on everything from privacy to illegal content to advertising and commercial regulation that – if you want to be around for a few years – you have to respect, and we work with regulators and different authorities on a daily basis.”

Openness, free flow of information of highest value

Co-moderator Horner led off her segment of the discussion – a look at networks, technology and standards – by asking people to share their ideas of what values characterize the Internet.

Throughout the event, the moderators occasionally also asked for input from a person in the room who was appointed to act as the representative of people who were following the session online and wanted to respond or ask questions. For instance, a group watching from a remote hub in Dhaka wrote that they believe “openness makes the Internet what it is – intelligence at the edges and not from the center is what makes the Internet spread, makes it possible, makes it valuable.”

Co-moderator McCarthy, speaking in general to summarize remarks of the remote participants, said: “They feel there are enough borders, divisions and boundaries already in place. They say the thing that makes the Internet so terrific in that it enables communication in a way the current political systems have never managed. Very broadly, we spoke to more people from Cameroon, Argentina… I asked them what they felt the characteristics of the Internet are that we need to preserve. Almost to a person, they said openness, the openness of the Internet, the lack of ability to control the Internet, and the free flow of information is what makes the Internet so valuable.”

Among the suggestions from people on site in Vilnius for IGF, Bill Smith of PayPal listed openness, inclusivity, collaboration, experimentation and voluntary as key values or principles; John Laprise of Northwestern University in Qater said his students value freedom of expression online.

Horner said the point is to try to illuminate ideals tied to the best balance for regulation. “What systems are in place and what can we do better?” she asked. “What are the roles and responsibilities of different stakeholders? Do we need the same kinds of regulation that we’ve had, perhaps with additional media? How are the issues different? How can we get the balance right?”

Open standards and interoperability and security, openness

Pranesh Prakash of the Internet Society in Bangalore to talked about technical standards and the principles being discussed. “Our choice of infrastructure determines what can be built on top of it,” Prakash explained. “The rules by which our interactions take place themselves present policy implications. Our choice of network standards based on the end-to-end principle determines how censorship can and cannot take place on the Internet.

“Standards determine how governmental departments interact among themselves and how citizens can interact with their government, thus having implications on citizens’ rights. Some policy implications are in the realm of access – for persons with disabilities, for instance, can your screen reader understand what is written on the Web?

"Can your government afford, in all senses of that word, to use a proprietary standard? Some policy implications are in the realm of the rights of consumers. Can you as a consumer download your data stored in Gmail or Facebook and move it to different systems? This raises a question of interoperability and openness which is often a short form of saying: allow for innovation on top of existing infrastructure.”

Technical aspects of the Internet architecture are generally established formed by bodies such as the Internet Engineering Task Force and the World Wide Web Consortium in a transparent, inclusive and participatory process that is open.

Prakash said, however, “Open standards are not sufficient. Even if a government uses open standards, if it doesn’t allow for transparent interaction with citizens the open standards do not fulfill their potential. Even if a social network stores user-uploaded data in an open standard it can still choose to prevent its users from downloading this data or from accessing this data using third-party tools.

“The Internet Governance Forum provides an ideal process and platform to push for issues that require reflection on such interconnected issues.”

International cooperation and security, privacy and openness

Co-moderator Horner led a discussion on openness. Two different individuals from Sweden stood up to speak about the importance of human rights and freedom of expression.

Johan Hallenborg noted that Sweden has initiated a cross-regional statement in the Human Rights Council on human rights and the Internet. “More than 100 bloggers and activists are in jail for merely expressing their views on the Internet,” he said. “Although we believe that there is no need for new human rights, we are convinced that international cooperation on these issues is the only way forward. A critical mass of governments and other stakeholders must agree to make this happen.”

Francisco Sosa Wagner, a deputy in the European Parliament, noted that it adopted a resolution in June 2010 to note that data protection legislation requires a global response, that the Internet propagates the democratic values of free expression, cultural diversity, education, access to information and respect for privacy.

Jorg Polakiewicz of the Council of Europe said there are many excellent global documents outlining values and principles, “We don’t have to replace them, to throw them away, they have stood the test of time,” he said. “But we have to complement, to adapt them, and this work will be carried out in the coming years.” He reminded everyone that Data Protection Day will take place Jan. 28, and in 2011 it will coincide with the 30th anniversary of the Council of Europe’s Convention 108, tied to protection of personal data.

Alvaro Galvani of the Brazilian government mentioned that his country has produced a set of 10 guiding principles for governance and the use of the Internet, introduced at a special session at IGF 2010 and two of these are related to this discussion: recognition of principles of freedom of expression, individual privacy and respect for human rights; and preservation of the stability, security and overall functionality of the Internet, encouraging consistency with international standards and the adoption of best practices.

Susan Morgan of the Global Network Initiative – a coalition of companies, NGOs, academics and individual supporters – said GNI is encouraging the development of mechanisms and expertise to assist Internet intermediaries address “the human rights risks they’re facing in their businesses.”

She spoke briefly about a framework developed to guide information and communication technology companies when they are faced with requests that may violate human rights to privacy or free expression. While she did not cite any specifics in the session, the most-visible example of the conflict over open access to information and free expression in 2010 is the conflict between Google and China.

“Underpinning the framework are three things,” she said. “The first is an accountability process to assess the way in which companies are implementing the framework. The second is policy engagement. The final is shared learning in a safe space, to really explore the issues and develop best practices.”

Co-moderator La Rue said keeping a human rights focus is important. “Ultimately the most important instruments of human rights are part of that worldwide consensus that has been advanced and that is moving,” he said. “We build upon that.”

Zooming in on security as it relates to the flow of information

The discussion was moved by co-moderator Hoffman to addressing how more collaboration and standards setting might contribute to greater security.

Markko Kunnapu from the Estonian Ministry of Justice, chair of the Council of Europe’s Cybercrime Convention Committee, said that in order to cooperate there have to be some standards. “We need a certain legislative base, a certain level of harmonization to cooperate,” he said.

“In terms of criminal justice, we have minimum standards in place already, quite widely applied all over the world – standards provided by the Cybercrime Convention or the Budapest Convention or plenty of other instruments and best practices. The IGF as a forum, as a multistakeholder process, has been very helpful to achieve those results we have right now. The standards are there in the Budapest Convention and they need to be applied by the states and I encourage states to join that club.”

Alexander Seger, also of the Council of Europe, introduced a number of points that were made on the topic at the three workshops related to cybercrime, cybersecurity and cybersafety.

“Tools, common standards and workshops are already available and applied in many countries,” he said, “but full implementation of all of these globally is the best way to help countries deal with cybercrime. There is a strong need for capacity building to help countries implement what is already there, and a stronger involvement, a stronger contribution from development cooperation agencies is required. We should make cybercrime an issue of development cooperation.”

Seger said more work has to be done in defining which groups must be involved in partnerships to combat negative uses of the Internet and roles and authorities must be established.

“What can they do and what can they not do?” he asked. “What is the legal basis in order to prevent and disrupt attacks, prosecute criminals, investigate fraud, confiscate proceeds from crime? There are many other questions.”

He said that in several of the workshops the analogy of a criminal setting a house on fire was used. “We said, of course, the first priority is to put out the fire, to mitigate the impact, but if you know that the same person puts many houses on fire, then probably the most effective way to sole the problem is to go after that offender. If you know 100 criminals around the world are responsible for more than 90 percent of the fires you should cooperate to go after the 100 criminals.”

He noted that laws and regulation should not interfere with human rights. “It was raised in several workshops that criminal law is not only there to deter crime and catch criminals, but also to prevent abuse of power, to establish safeguards and conditions in procedural law and ensure due process is followed and that rule of human law and human rights are respected,

Seger said there is a need for stronger cooperation between ICT communities and criminal justice communities when designing measures against cybercrime.

“Perhaps we should think about a mechanism, a sort of cybercrime action task force or something similar to mobilize resources for capacity building and monitor progress made by countries in taking measures against cybercrime,” he concluded.

McCarthy, the co-moderator taking comments from remote participants, said they were expressing mixed support for global security standards.

“People were drawing a distinction between standards that are really just best practices guidelines and standards put in place by countries … misdirected or draconian measures that some governments put in place in an effort to provide greater security for them and their citizens.” He also said people were commenting that “if you have standards then [bad actors] find standard ways to get around them.”

Is legislation best answer for safety, users’ rights?

Martin Boyle of Nominet summarized an earlier workshop that was really an open discussion about Internet users personal security and rights. Points he brought up from that:

The engineers of the technical architecture of the Internet have been working on solutions in response the attack on Estonia and other breaches of the infrastructure.

Specific issues in cybersecurity and cybercrime should be identified in narrow classifications so practical steps can be taken in regard to them, “otherwise you have a massively broad area to address and you just can’t cope.”

Units of the technology sector are motivated to address these issues to retain their good reputations and retain trust.

There should be capacity building in regard to the responsibilities of digital citizenship, “people need to understand the consequences of what they’re doing, the implications of actions they are taking, education is very, very important.”

Legislation is not the best solution. “We haven’t solved crime in the offline world,” he pointed out. “We do need to be quite realistic. Business needs to take its responsibility and show leadership and there is a share responsibility for safer and security and shared ownership leads to a partnership for prevention.”

Wim Rullens of the Ministry of Economic Affairs in The Netherlands said the discussion in an earlier workshop on public-private cooperation in fighting cybercrime also concluded that passage of cyberlaws will not stop most negative acts online.

“Public and private parties can work together on solutions to combat and prevent cybercrime through cooperation and self-regulation, avoiding the need for new regulation on top of already-existing laws,” he reported back, adding that governments are interested in this approach because “they know laws rarely prevent what they forbid, and private parties are interested in cooperation because they want to avoid new regulation, be responsible and have a good corporate image.”

Rullens and Wout de Natris of the Telecommunication Authority of The Netherlands shared a success story. They described the work of the Cybercrime Working Party, a joint effort of RIPE NCC, the FBI, the European Union, public prosecutors on cybercrime for a number of countries, and others, to take a multistakeholder approach to build trust between parties and generate common forms and standards. They suggested the 2011 IGF would be a good place at which to host a neutral solutions-seeking session that also involves industry people.

Other points raised in this earlier workshop:

Starting small and learning by doing works best. Don’t try to solve everything at once. “See what is working and what is not.”

ISPs have engaged in the fight against cybercrime, “but sometimes authorities tend to stretch the definition from action that is clearly illegal to action that is unwanted, and that’s a much more subjective criteria.”

The focus should be on prevention, including awareness.

We need to move industry, government and civil society from action in isolation to action in collaboration and “from suspicion to trust.”

Harmonizing privacy standards globally

Christine Runnegar of the Internet Society reported back from an earlier workshop titled “The Future of Privacy.” Among the formal privacy discussions and documents already in place are the OECD Privacy Guidelines, European Convention 108, the European Data Protection Directive and the US Federal Trade Commission’s series of privacy roundtables. Due to time constraints, she listed a series of key points emerging from the “Future of Privacy” session.
People should work toward a convergence of global privacy principles, both technical and regulatory, that are better adapted to the characteristics of the Internet.

International cooperation between data-protection authorities should be improved and resources should be allocated to enforcement.

Key challenges include the differences between cultures in regard to privacy issues and the difficulties introduced by the vast number of jurisdictions and conflicts of law. “Privacy is a broad subject with limited international consensus,” she noted.

Transparent architectures that support secure private information and enable information sharing in a secure, privacy-enhancing manner “are fundamental to effective privacy.” Privacy considerations should be incorporated in system design while still allowing for innovation and maintaining the openness of the Internet.

Data protection must take into account many different rights. “The concept of accountability means that the obligation flows with the information,” she said. “It may be accomplished with tools, practices, contracts, et cetera, and not just by laws.”

She noted that the Madrid Resolution on international standards of protection of personal data has been a useful guide for developing countries.

“Privacy by design is a concept of people, practices and technology,” she said. “You need to look at all of these from the beginning. And, finally, search engines should be instruments of free, accurate and accessible democratic knowledge. In order to ensure this it is important to include liability exceptions for intermediary service providers in new, revised privacy principles.”